Overview
IPsec (short for IP security) is defined by a set of protocols which were developed
by the Internet Engineering Task Force (IETF) to allow secure communication of IP
datagrams over an untrusted network such as the Internet to create a Virtual Private
Network (VPN). The latest IPsec proposed standards are defined in a series of Requests for
Comments (RFC 4301 to 4309) plus RFC 4835, which details the requirements for
ESP cryptographic algorithm support. The set of protocols described within these RFCs provides
for the access control, encryption, authentication, data integrity and key exchange
mechanisms required to ensure data security between two communicating network devices at
the IP layer.
The most commonly used IPsec protocol for securing IP traffic is Encapsulating Security
Payload (ESP) as described in RFC 4303 which provides data confidentiality, data origin
authentication, connectionless integrity, an anti-replay service, and limited traffic
flow confidentiality for IPv4 and IPv6 traffic. ESP may be used to provide security
either between a pair of communicating network hosts, between a pair of security gateways,
or between a network host and a security gateway. Our ESP Primer
provides a basic introduction to ESP and how the Helion ESP Engine may be utilised to
accelerate IPsec packet processing.
Helion ESP Engine
The Helion ESP Engine is designed to provide hardware acceleration of all ESP packet
processing tasks including the encapsulation, padding, encryption and authentication algorithms
required to implement a high throughput IPsec solution in FPGA or ASIC. In addition to
greatly increasing the IPsec data throughput, offloading ESP packet processing into hardware
allows a system CPU to concentrate on the more complex IPsec processing tasks that are better
suited to software, such as the Internet Key Exchange (IKE). IKE is responsible for
establishment and maintenance of secure connections, as well as performing mutual
authentication and key exchanges with other IPsec endpoints.
The engine's modular architecture provides full support for all ESP encryption and authentication
algorithms specified by RFC 4835 as well as proposed combined mode algorithms such as
AES-CCM and AES-GCM which may become future requirements for IPsec implementations. Typically
only a subset of these algorithms will be implemented, but as a minimum at least one
confidentiality algorithm and one authentication algorithm must be supported to allow the full
range of security service types to be offered and to ensure IPsec compliance.
The Helion ESP Engine can be configured to support as few, or as many, confidentiality and
authentication algorithms as required for an optimum IPsec solution.
Features
- Supports all ESP encryption and authentication algorithms specified in RFC 4835
- Configurable modular architecture supports one or more confidentiality and
authentication algorithms which may be dynamically selected during operation
- Available with either High rate, or Lower rate/low resource usage AES security modules
- Supports all three ESP security service combinations
- Suitable for use in IPv4 and IPv6 IPsec applications
- Supports both Transport and Tunnel mode operation
- Extended (64-bit) Sequence Number support
- Supports optional insertion of padding for Traffic Flow Confidentiality (TFC)
- Automatic ESP default padding generation and checking
- Supports Gigabit/s data throughputs in high-performance target technologies
The Helion ESP Engine is available in versions for use in ASIC, Altera and
Xilinx FPGA, and in common with all Helion IP cores has been designed with each
technology firmly in mind to yield the very best and most efficient results.
Whitepapers
Click here for the Helion IPsec ESP Primer (PDF format)
Datasheets
Click here for the Altera FPGA core data sheet (PDF format)
Click here for the Xilinx FPGA core data sheet (PDF format)
Software support
In addition to the ESP core, comprehensive software support is available to allow
the user to implement a fully compliant IPsec solution running in a combination of
software and hardware. Please visit our security software
partners page for more information on the availability of these fully integrated
solutions.
Contact
For more detailed information on these or any of our other products and services,
please feel free to email us at
helioncores@heliontech.com and we will be pleased to discuss how we can assist
with your individual requirements.